I spent some time this weekend researching how to recover a deleted Safeboot key (in case you don’t have a backup). This how-to is for Windows XP. It shows how to recover the Safeboot key (possibly deleted by a virus like the newest Bagle, see my previous post), not how to remove the malware.
Case 1
If Windows hasn’t been rebooted since the infection and you haven’t made changes to your system configuration since the last boot, follow this procedure:
- Reboot Windows. Enter “Windows Advanced Options Menu” by pressing F8 twice after the BIOS splash screen.
- Select “Last Known Good Configuration (your most recent settings that worked)”.
- You can now reboot a second time and select Safe Mode.
Case 2
If Windows has been rebooted since the infection, follow this procedure:
- Start System Restore (you can find it here: Start / All Programs / Accessories / System Tools / System Restore)
- Select a restore point that predates the infection (i.e. the Safeboot key removal). This may require some trial and error if you don’t know exactly when the Safeboot key was deleted
- Confirm the restore operation
- Windows will perform a System Restore and reboot
- Click OK
- You can now reboot a second time and select Safe Mode
Case 3
If you’ve made changes to your system configuration that you want to keep, follow this procedure:
- Follow the steps of case 2
- Start regedit once you’ve booted in Safe Mode
- Navigate to the “HKLM\System\CurrentControlSet\Control\Safeboot” key
- Export the key (right-click, Export)
- Start System Restore: Start / All Programs / Accessories / System Tools / System Restore
- Select “Undo my last restoration”
- Confirm the restore operation
- Windows will perform a System Restore and reboot
- Click OK
- Select the Safeboot registry file you exported and merge it into the registry (double-click the file)
- Confirm the merge
- You can now reboot again and select Safe Mode.
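
Before merging the exported file in Case 3, it is worth confirming that it contains only the Safeboot key and that the key is complete. The following Python check is an added example, not part of the original post; it can be run on any machine against a copy of the exported .reg file. The function names are hypothetical, and the requirement for Minimal and Network subkeys is an assumption based on a stock Windows XP Safeboot key, not something the post states.

```python
import re, sys

# Key exported in Case 3; regedit writes the full hive name. Compared case-insensitively.
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot".lower()
# Assumption (stock Windows, not stated on the page): Safe Mode needs these subkeys.
REQUIRED = ("minimal", "network")

# Constructed sample: a trimmed export in the layout regedit writes.
SAMPLE = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot]\r\n"
    "\"AlternateShell\"=\"cmd.exe\"\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal]\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network]\r\n"
)

def decode_reg(raw):
    """Version 5.00 exports are UTF-16LE with a BOM; REGEDIT4 exports are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def check_safeboot_export(raw):
    """Return a list of problems; an empty list means the file is fit to merge."""
    lines = decode_reg(raw).splitlines()
    problems = []
    if not lines or lines[0].strip() not in ("Windows Registry Editor Version 5.00", "REGEDIT4"):
        problems.append("missing .reg header")
    keys = set()
    for line in (l.strip() for l in lines[1:]):
        m = re.fullmatch(r"\[(-?)(.+)\]", line)       # "[key]" adds, "[-key]" deletes
        if m:
            path = m.group(2).lower()
            if path != SAFEBOOT and not path.startswith(SAFEBOOT + "\\"):
                problems.append("key outside SafeBoot: " + path)
            if m.group(1):
                problems.append("deletes key: " + path)
            else:
                keys.add(path)
        elif re.fullmatch(r'(@|".*")=-', line):        # "name"=- removes a value
            problems.append("deletes value: " + line)
    for sub in REQUIRED:
        if SAFEBOOT + "\\" + sub not in keys:
            problems.append("missing subkey: " + sub)
    return problems

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else ("\ufeff" + SAMPLE).encode("utf-16-le")
    print(check_safeboot_export(raw) or "OK: only SafeBoot keys, Minimal and Network present")
```

An empty result means the file touches nothing outside the Safeboot key and carries both subkeys; any listed problem is a reason to re-export before merging.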